Failure to reconnect to ldaps server after idle_timeout

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Mar 10 20:48:17 CET 2015


> On 10 Mar 2015, at 13:48, Stefan Paetow <Stefan.Paetow at jisc.ac.uk> wrote:
> 
>> TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
>> rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
>> rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used
>> rlm_ldap (ldap): Connecting to ldap://ldap.example.com:636
>> TLS: could not find the slot for the certificate '/etc/raddb/certs/ldap-ca.pem' - error -8127:The security card or token does not exist, needs to be initialized, or has been removed..
>> TLS: /etc/raddb/certs/ldap-ca.pem is not a valid CA certificate file - error -8127:The security card or token does not exist, needs to be initialized, or has been removed..
>> TLS: could not perform TLS system initialization.
>> TLS: error: could not initialize moznss security context - error -8127:The security card or token does not exist, needs to be initialized, or has been removed.
>> TLS: can't create ssl handle.
>> rlm_ldap (ldap): Bind with cn=Radius,o=Example,c=XX to ldap://ldap.example.com:636 failed: Can't contact LDAP server
>> TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
>> rlm_ldap (ldap): Opening connection failed (7)
>> (28)     [ldap] = fail
> 
> I've seen this at STFC before... but despite my prodding, this was not raised on the list. :-/

OpenLDAP built against NSS is not compatible with rlm_ldap when used with Start TLS or LDAPS, see here:

	https://github.com/FreeRADIUS/freeradius-server/pull/866

It's not something that can be fixed on our side. The OpenLDAP guys say they're not responsible for the
NSS bindings. It's an issue you'll need to raise with Red Hat.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

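A quick way to confirm the linkage Arran describes before chasing the NSS error messages further, as an added example that is not part of the original thread and not code from the FreeRADIUS project: classify the shared libraries that rlm_ldap's libldap links against and report whether it is an NSS or OpenSSL build. The rlm_ldap.so path is an assumption (override it with RLM_LDAP_SO), and the two ldd listings embedded below are constructed for illustration, modelled on what NSS-linked and OpenSSL-linked libldap builds look like.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeRADIUS project):
# tell whether the libldap that rlm_ldap loads was built against Mozilla
# NSS or against OpenSSL, by classifying the shared libraries in its
# ldd(1) listing. NSS-backed builds are the ones the thread says cannot
# re-establish TLS once a pooled connection has been closed.

# Classify one ldd-style listing passed as $1.
# Prints: nss, openssl, gnutls or unknown.
# NSS is checked first on purpose: if a listing somehow carries both
# NSS and OpenSSL libraries, the NSS linkage is the one that matters.
tls_backend_from_ldd() {
    case "$1" in
        *libnss3.so*|*libssl3.so*|*libnspr4.so*) echo nss ;;
        *libssl.so*|*libcrypto.so*)              echo openssl ;;
        *libgnutls.so*)                          echo gnutls ;;
        *)                                       echo unknown ;;
    esac
}

# Run ldd on a real shared object and classify it. $1 is the path to
# libldap, or to rlm_ldap.so (whose dependencies pull libldap in).
# Prints unknown when the file is missing, unreadable or not inspectable.
tls_backend_of() {
    if [ -r "$1" ] && out=$(ldd "$1" 2>/dev/null); then
        tls_backend_from_ldd "$out"
    else
        echo unknown
    fi
}

# Constructed ldd output modelled on an NSS-linked libldap (RHEL/CentOS
# style); load addresses and exact sonames are illustrative only.
SAMPLE_NSS_LDD='    liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f0000000000)
    libnss3.so => /lib64/libnss3.so (0x00007f0000100000)
    libssl3.so => /lib64/libssl3.so (0x00007f0000200000)
    libnspr4.so => /lib64/libnspr4.so (0x00007f0000300000)'

# Constructed ldd output modelled on an OpenSSL-linked libldap.
SAMPLE_OPENSSL_LDD='    liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f0000000000)
    libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007f0000100000)
    libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007f0000200000)'

# Assumed module location; override with RLM_LDAP_SO=/path/to/rlm_ldap.so.
RLM_LDAP_SO="${RLM_LDAP_SO:-/usr/lib64/freeradius/rlm_ldap.so}"

printf 'constructed NSS listing:     %s\n' "$(tls_backend_from_ldd "$SAMPLE_NSS_LDD")"
printf 'constructed OpenSSL listing: %s\n' "$(tls_backend_from_ldd "$SAMPLE_OPENSSL_LDD")"
printf '%s: %s\n' "$RLM_LDAP_SO" "$(tls_backend_of "$RLM_LDAP_SO")"
```

If the last line reports nss, the reconnect failures after idle_timeout in the quoted log are the known NSS-bindings incompatibility from the pull request above rather than a certificate or configuration problem on the FreeRADIUS side; an openssl result means the cause lies elsewhere. The check only identifies the linkage, it is not a workaround.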